allow email address to be "claimed" again until address is verified

[ckarlof]

moved from: mozilla/fxa-content-server#350

Example problem:

1. sign up as bob@example.com, even though you are not Bob.
2. Now Bob comes along, and tries to sign up as bob@example.com, but is not allowed to do so in the current UI.

Proposed: until an email address has been verified to be owned by someone who controls the email account, allow that email address to be used for signup again.

So, I think some things have changed from when I first encountered this. But assuming that a third party has claimed a user's address, it is a pretty poor experience for the legitimate owner to discover how to signup with their email address.

Tools -> Setup Sync, and then 'Get started' presents the signup form.

So the naive FTU enters their email address and is told: "Account already exists".

So the user then sees "Already have an account? Sign in!" and tries that, but what password are they supposed to enter?

[ckarlof]

I think this would be nice. It's something we can do after we enable Sync in Nightly.

[ckarlof]

@edmoz this will need some QA love once it hits stage.

[pdehaan]

[jbonacci]

How fun. Email stealing.

[pdehaan]

I'm already squatting on all the top -moz email addresses and planning on selling the fxa- credentials on the gray market. 💵 💰

[edwindotcom]

@jrgm actually brought this up in discussion, can you verify

[dannycoates]

Added in #593

[kparlante]

@dannycoates: is there a way to identify the "reclaimed" case in the log file?

[dannycoates]

@kparlante there isn't currently but we can certainly add something. What data would you like? Just a boolean or maybe the original create date? Can you open a new issue for it?